RDK-V Emulator containers

Summary

The purpose of this section is to describe the  new implemented solution to have a secure containerized RDK build on emulator. This implementation done from the reference of

Raspberry pi platform.

The intent of this page is to be used as a walk-through to all the relevant information present in the section.

Detailed organization

The section is organized in two main subsections, as the following:

• Implementation details: here is described all the relevant developments to have containers working.
• Implemented containers: here is detailed information about each container that is already implemented.

Most of the information is present in Implementation details, that is organized as the following:

• Containers layer - meta-rdk-containers: this subsection has all the information about the new layer, meta-rdk-containers, that was created to support all configurations, recipes, scripts, etc. about containers. 
  • Build-time containers framework: this subsection describes how the new framework to build containers in build-time is implemented. Main focus in the following topics:
    • Common configuration files: brief description of common configuration files that can shared by all containers configuration files.
    • Build time Systemd update: describes how to remove, disable and mask systemd services at build time from the host.
    • containers-build: describes the new recipe added to create containers in build time (containers-build_0.1.bb).
    • Ordered containers list: describes how to define the list of containers.
      • Start Block Containers: describes how to start specific containers as block containers.
    • start_containers.sh: script responsible to start the containers when the emulator boots.
    • containers.service: main service for containers, responsible to launch all scripts and ensure the dependencies needed to have containers working properly (e.g, start_containers.sh, create_bridge.sh).
  • Layer configurations: brief description of the configurations for the new layer, including the new machine to generate secure containerized builds (qemux86hybsecure).
  • Secure bitbake targets: new bitbake targets/images and needed packagegroups to generate secure containerized builds (e.g., rdk-generic-hybrid-lxc-image).
  • Support files: this page describes some "minor" changes, usually to existing recipes, to support secure containers build, such as add support to new machine, apply patches, etc.
  • TDK containerized emulator build: describes the configurations added to the containerize emulator build to enable TDK agent and allow running TDK tests.
    
    • TDK add-ons: describes some changes applied to secure build for the TDK to work properly.
      • Allow IARMBus to access dbus: dbus allowing rules for IARMBus component;
      • Allow devicesettings module to access dbus/iarmBus: dbus allowing rules for devicesettings component;
      • Iptables TDK rules: describes the added rules in iptables to allow TDK trafic .
    • TDK Test Results - non-containerized hybrid emulator VS containerized hybrid emulator
       
  This section has also some tutorials explaining how to use the new layer and the new framework to create new containers - "how to's":
  • Create a new container in build time: describes how to add a new container to a secure containerized build.
    • How to add block init capability to a container at build time: describes all the necessary steps to add declare a container as block container.
  • Play a video using rmfstreamer: describes how to play a video using rmfstreamer.
  • Setup a platform build to use containers: describes what to do to setup a new platform build to use containers.
  • How to generate a containerize TDK hybrid emulator image: describes the steps needed to build a containerized hybrid emulator build with TDK agent enabled.
     
• Network configuration: this subsection has all the information about the network configuration needed to fully support a secure containerized build. Focus in:
  • Bridge setup: describes the main network configuration of the emulator.
  • Hosts: describes changes made to hosts file (/etc/hosts) to facilitate the support of "network capable" containers.
  • iptables: describes how firewall/redirect/nat rules are being used, using iptables tool, to support containers.
    • iptables architecture: detailed implementation about the mechanism used to manage all iptables rules.

    • rmfserv iptables rules: iptables rules for rmfserv container.

    • REDIRECT rules: describes the changes made to enable REDIRECT rules.
      
      

Implemented containers is updated with all containers that are already implemented. Currently, the following ones are available:

• dbus: runs dbus processes;
• rmfserv: runs rmfstreamer;
  • How to play a video using rmfstreamer: Explain an easy way for testing the containerized rmfstreamer
  • Network configuration: Explains the secure network configuration needed to support containerized rmfstreamer
• rdk-base: runs most of RDK processes, except the ones that are already running in a separate container.

In order to support some changes to existing code, some patches are applied to support secure containerized build. The full list of patches is available in Containers.

repo init -u https://code.rdkcentral.com/r/manifests -b rdk-next -m rdkv-asp-extsrc.xml

repo sync --no-tags

source meta-cmf-bsp-emulator/setup-environment
meta-rdk-containers/conf/machine/qemux86hybsecure.conf

bitbake rdk-generic-hybrid-lxc-image